-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is definitely a difficulty on my end as well; I would like to follow this thread if it happens to move over to a Kerberos list.
On 09/19/2010 05:53 PM, Andrew Bartlett wrote:
> On Sun, 2010-09-19 at 00:34 +0200, Michael Wood wrote:
>> On 15 September 2010 20:39, Alex Waite <[email protected]> wrote:
>>> Hey everyone,
>>> I'm one of those crazy people willing to try setting up Samba4 alpha in a
>>> small production environment as a DC. I've followed the Samba4 HowTo (which
>>> is excellent by the way) and have a domain set up and functioning in a test
>>> environment.
>>> My production network, however, is not quite as nice as my test network.
>>> I have convinced IT (I work for a group of research labs, independent of
>>> the main IT group here) to delegate control of my department's subdomain to
>>> a DNS server I control. However, rDNS has turned out to be a real sticking
>>> point. Subnets are set up geographically here and I cannot have an entire
>>> subnet assigned to my department. I've brought up using Classless
>>> in-addr.arpa. delegation (RFC 2317) or setting up our own VLAN, but movement
>>> has been slow on these options.
>>> I've continued researching and it seems that it may be possible to set up
>>> Kerberos without rDNS. I'm having a difficult time finding hard information
>>> on this, so I wanted to ask the Samba community what they know about this,
>>> and if it's possible to configure Kerberos sans-rDNS to function correctly in a
>>> Samba4 driven domain.
>>> Thank you to everyone for their hard work on this project, and for taking
>>> the time to write such good documentation. It really is quite helpful.
>>
>> I'm not sure reverse DNS is actually important for Kerberos to work.
>> The samba4 provision script does not even set up reverse DNS.
>>
>> I've Cc'ed samba-technical for a better chance at an authoritative answer.
>
> The use of reverse DNS for Kerberos can introduce security holes and
> Windows does not use it in that way. However, I think MIT Kerberos
> might, if you are intending to use unix hosts. (It may also have
> options to turn this off).
>
> (This security issue can be solved in various ways, Windows chose to do
> so by putting the info about the alias names of a host in the KDC
> database - ie AD).
>
> Andrew Bartlett
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMl12VAAoJEERE2zkyxRdk0mgH/1Pw6j6O7LavxzZlDgt6s/oh
mWL2V4xSKwbCrPnnGjmn+TQGbXXLUbxSy7v7C4cBJSE6P4+1Q5QAzWGvL8CE/3Qz
WqoYlbofE3Omoeu3ZDZKyeK7GGP46mBNlGRfLhyf5GvuA5T2nT1kWqpcFE/kvWYu
VtuG14DmzZ816vIy+XbKIsaYU9r0TE2kl0CwvwlnQ138zWPiILY7rD65wG4I7odV
u8AbjjKUlG2idCde8KnCeaLa/tSt/uI1VVlNyUy3NeEHVYh4qM3HvScAzJ6swCAf
AOyVqSilWvMCiR7uG9IVeR62worU28TRWQxt7cpD/H5alv8brjRqVfs4/12fVhA=
=i4rz
-----END PGP SIGNATURE-----
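Andrew's remark that MIT Kerberos consults reverse DNS but can be told not to refers to the `rdns` setting in the `[libdefaults]` section of krb5.conf. The fragment below is an added illustration for this thread, not configuration from the original posts or from the Samba project; the realm, domain and KDC names in it are placeholders that you would replace with your own. It shows the default beside the setting a site without reverse delegation needs, and the comment explains why reverse lookup is the security problem Andrew alludes to.

```ini
# Added example krb5.conf fragment for an MIT Kerberos client in a
# Samba4 / AD domain. LAB.EXAMPLE.EDU, lab.example.edu and dc1 are
# assumed placeholder names, not values from the thread.
#
# With rdns = true (the MIT default), a client told to talk to
# "fileserver.lab.example.edu" first resolves the name to an address,
# then resolves that address back to a name through its PTR record, and
# asks the KDC for a ticket for host/<PTR name>. Whoever controls the
# reverse zone therefore chooses which service principal the client
# authenticates to, and a missing PTR yields a principal the KDC has
# never heard of. With rdns = false the client keeps the forward-
# resolved name, which is how Windows clients behave and what a subnet
# without in-addr.arpa delegation requires.
[libdefaults]
    default_realm = LAB.EXAMPLE.EDU
    # rdns = true      <- MIT default: trust the PTR record (weak)
    rdns = false       # keep the name the client was given
    dns_lookup_kdc = true

[realms]
    LAB.EXAMPLE.EDU = {
        kdc = dc1.lab.example.edu
        admin_server = dc1.lab.example.edu
    }

[domain_realm]
    .lab.example.edu = LAB.EXAMPLE.EDU
    lab.example.edu = LAB.EXAMPLE.EDU
```

Even with `rdns = false`, the forward lookup still follows CNAMEs, so the principal requested may differ from the name typed; later MIT releases add `dns_canonicalize_hostname = false` to stop that too, at which point every alias a host answers to must be registered as an SPN on its computer object in AD, which is the approach Andrew describes Windows taking. To see which principal an MIT client (1.9 or later) actually asks for, run a request with `KRB5_TRACE=/dev/stderr` set, for example `KRB5_TRACE=/dev/stderr kvno host/fileserver.lab.example.edu`, and read the principal name in the trace output.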
